Amendments to the Claims:

This listing of claims will replace all prior versions, and listings, of claims in the
application.

Listing of Claims:

1. (Currently Amended) A method to manage secure connections, comprising:

receiving [[an]] a first initial encrypted packet transmitted from an internal node and
addressed to a secure port of an external node;

recording [[a]] an unmatched flow comprising an internal address and a security
identifier associated with said first initial encrypted packet in a list to designate a secure
connection between said internal node and said external node;

receiving a [[subsequent]] second initial encrypted packet having a security identifier
and an external address that represents a plurality of internal addresses;

translating said external address of said second initial encrypted packet by
selecting one of said internal addresses associated with [[a]] an oldest or most recently active
unmatched flow recorded in said list [[that comprises a security identifier that matches said
security identifier of said subsequent encrypted packet]]; [[and]]

communicating said second initial encrypted packet to said selected internal
address; and

forwarding a subsequent encrypted packet having a security identifier that
matches said security identifier of said second initial encrypted packet to said selected
internal address.

2. (Previously Presented) The method of claim 1, further comprising:
searching a list of security identifiers having associated times;
selecting a security identifier having an earliest time; and
retrieving said internal address associated with said selected security identifier.

3. (Previously Presented) The method of claim 2, further comprising:
creating said list; and
searching said created list.

4. (Previously Presented) The method of claim 3, wherein said creating comprises:
receiving an encrypted packet having a predetermined sequence number and a
security identifier from a device associated with one of said internal addresses;
determining a time said encrypted packet was received;
associating said time and said internal address with said security identifier; and
storing said security identifier with said associated time and associated internal
address.

5. (Original) The method of claim 1, wherein said packet is encrypted in accordance 
with the Internet Security Association And Key Management Protocol (ISAKMP). 

6. (Original) The method of claim 1, wherein said encrypted packet is an Internet
Protocol (IP) Encapsulating Security Payload (ESP) encrypted packet.

7. (Previously Presented) The method of claim 1, wherein said security identifier is a
security parameter index (SPI).

8. (Previously Presented) The method of claim 1, wherein said security identifier
represents a tunnel between two devices, and further comprising:

receiving a message that said encrypted packet was communicated to an incorrect
internal address;

determining activity levels for each tunnel terminating at each device represented
by said plurality of internal addresses; and

communicating said encrypted packet to an internal address having a tunnel with
a highest activity level.

9. (Currently Amended) A method to manage secure connections, comprising:

creating a list of unmatched flows comprising security identifiers to designate
secure connections by storing security identifiers in response to receiving initial
encrypted packets addressed to a secure port, with each security identifier representing a
tunnel terminating at a device having an internal address;

translating each of said internal addresses to an external address;

receiving an initial encrypted packet having said external address and a security
identifier;

translating said external address of said initial encrypted packet by selecting one
of said internal addresses associated with an oldest or most recently active unmatched
flow [[a security identifier]] from said list [[of security identifiers that matches said security
identifier of said encrypted packet having said external address]]; [[and]]

communicating said initial encrypted packet to said selected internal address; and

forwarding a subsequent encrypted packet having a security identifier that
matches said security identifier of said initial encrypted packet to said selected internal
address.

10. (Original) The method of claim 9, wherein said tunnel is created in accordance
with the Internet Security Association And Key Management Protocol (ISAKMP).

11. (Original) The method of claim 9, wherein said encrypted packet is an Internet
Protocol (IP) Encapsulating Security Payload (ESP) encrypted packet.

12. (Previously Presented) The method of claim 9, wherein said security identifier is a 
security parameter index (SPI). 

13. (Previously Presented) The method of claim 9, further comprising: 
searching said list of security identifiers having associated times; 
selecting a security identifier having an earliest time; and 
retrieving said internal address associated with said selected identifier. 

14. (Previously Presented) The method of claim 9, wherein said creating comprises:
receiving an encrypted packet having a security identifier from a device
associated with one of said internal addresses; 

determining a time said encrypted packet was received; 

associating said time and said internal address with said security identifier; and 

storing said security identifier with said associated time and internal destination 
address. 

15. (Currently Amended) A secure connection manager, comprising:

a flow module to create a list of unmatched flows comprising security identifiers
to designate secure connections by storing security identifiers in response to receiving
initial encrypted packets addressed to a secure port, with each security identifier
representing a secure flow terminating at a device with an internal address; and

a translation module to select an internal address for an initial encrypted packet
having an external address and a security identifier, said internal address associated with
an oldest or most recently active unmatched flow [[a security identifier]] from said list [[of
security identifiers that matches said security identifier of said encrypted packet having
said external address]], and to translate said external address to said internal address for a
subsequent encrypted packet having a security identifier that matches said security
identifier of said initial encrypted packet.

16. (Original) The secure connection manager of claim 15, further comprising:

a communication module to communicate said encrypted packet to said selected
internal address.

17. (Currently Amended) A system to manage secure connections, comprising:
a first network node to send encrypted packets to an external address;
a second network node to receive said encrypted packets and translate said
external address to an internal address using a list of security identifiers; and
a third network node having said internal address to receive said encrypted
packets,

wherein said second network node receives [[an]] a first initial encrypted packet
transmitted from said third network node and addressed to a secure port of said first
network node, said second network node records [[a]] an unmatched flow comprising an
internal address and a security identifier associated with said first initial encrypted packet
in said list of security identifiers to designate a secure connection between said third
network node and said first network node, and said second network node translates said
external address [[by matching a security identifier]] of a second initial encrypted packet
having a security identifier received from said first network node [[with a security
identifier associated with a]] by selecting an internal address associated an oldest or most
recently active unmatched flow recorded in said list, said second network node
communicates said second initial encrypted packet to said selected internal address, and
said second network node forwards a subsequent encrypted packet having a security
identifier that matches said security identifier of said second initial encrypted packet to
said selected internal address.

18. (Original) The system of claim 17, wherein said second network node is a router
configured to perform natural address translation (NAT).

19. (Original) The system of claim 17, wherein said first and third network nodes are
configured to communicate using a tunnel created in accordance with the Internet
Security Association And Key Management Protocol (ISAKMP).

20. (Original) The system of claim 17, wherein said encrypted packets are Internet
Protocol (IP) Encapsulating Security Payload (ESP) encrypted packets.

21. (Original) The system of claim 17, wherein said second network node performs
said translation using a list of flow identifiers, with each flow identifier representing a 
security parameter index (SPI) and having an associated internal address and receipt time. 

22. (Currently Amended) An article comprising:
a storage medium;

said storage medium including stored instructions that, when executed by a
processor, result in managing a secure connection by receiving [[an]] a first initial encrypted
packet transmitted from an internal node and addressed to a secure port of an external
node, recording [[a]] an unmatched flow comprising an internal address and a security
identifier associated with said first initial encrypted packet in a list to designate a secure
connection between said internal node and said external node, receiving a [[subsequent]]
second initial encrypted packet having a security identifier and an external address that
represents a plurality of internal addresses, translating said external address of said
second initial encrypted packet by selecting one of said internal addresses associated with
[[a]] an oldest or most recently active unmatched flow recorded in said list [[that comprises a
security identifier that matches said security identifier of said subsequent encrypted
packet]], [[and]] communicating said second initial encrypted packet to said selected internal
address, and forwarding a subsequent encrypted packet having a security identifier that
matches said security identifier of said second initial encrypted packet to said selected
internal address.

23. (Previously Presented) The article of claim 22, wherein the stored instructions, 
when executed by a processor, further result in selecting one of said internal addresses by 
searching a list of security identifiers having associated times, selecting a security 
identifier having an earliest time, and retrieving said internal address associated with said 
selected security identifier. 

24. (Previously Presented) The article of claim 23, wherein the stored instructions,
when executed by a processor, further result in searching said list of security identifiers 
by creating said list, and searching said created list. 

25. (Previously Presented) The article of claim 24, wherein the stored instructions, 
when executed by a processor, further result in creating said list by receiving an 
encrypted packet having a predetermined sequence number and a security identifier from 
a device associated with one of said internal addresses, determining a time said encrypted 
packet was received, associating said time and said internal address with said security 
identifier, and storing said security identifier with said associated time and associated
internal address. 

26. (Currently Amended) An article comprising:
a storage medium;

said storage medium including stored instructions that, when executed by a
processor, result in managing secure connections by creating a list of unmatched flows
comprising security identifiers to designate secure connections by storing security
identifiers in response to receiving initial encrypted packets addressed to a secure port,
with each security identifier representing a tunnel terminating at a device having an
internal address, translating each of said internal addresses to an external address,
receiving an initial encrypted packet having said external address and a security
identifier, translating said external address of said initial encrypted packet by selecting
one of said internal addresses associated with an oldest or most recently active
unmatched flow [[a security identifier]] from said list [[of security identifiers that matches said
security identifier of said encrypted packet having said external address]], [[and]]
communicating said initial encrypted packet to said selected internal address, and
forwarding a subsequent encrypted packet having a security identifier that matches said
security identifier of said initial encrypted packet to said selected internal address.

27. (Previously Presented) The article of claim 26, wherein the stored instructions, 
when executed by a processor, further result in selecting one of said internal addresses by 
searching said list of security identifiers having associated times, selecting a security 
identifier having an earliest time, and retrieving said internal address associated with said
selected security identifier.

28. (Previously Presented) The article of claim 26, wherein the stored instructions,
when executed by a processor, further result in creating said list of security identifiers by 
receiving an encrypted packet having a security identifier from a device associated with 
one of said internal addresses, determining a time said encrypted packet was received, 
associating said time and said internal address, with said security identifier, and storing 
said security identifier with said associated time and internal destination address. 
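
An added illustration, not part of the filing: a minimal Python model of the translation recited in claims 1, 2 and 4, showing that selecting the oldest unmatched flow is a heuristic that can pair a reply with the wrong internal host when two tunnels start close together (the misdelivery that claim 8 addresses). The class and method names, addresses and SPI values are constructed, and removing a flow from the list once it is paired is one reading of "unmatched".

```python
from dataclasses import dataclass, field


@dataclass
class Flow:
    internal_addr: str
    spi: int            # SPI seen on the outbound initial packet
    first_seen: float   # receipt time, as in claims 2 and 4
    last_active: float


@dataclass
class ConnectionManager:
    policy: str = "oldest"                          # or "most_recent"
    unmatched: list = field(default_factory=list)   # flows awaiting a reply
    bound: dict = field(default_factory=dict)       # inbound SPI -> internal address

    def record_outbound(self, internal_addr, spi, now):
        """Initial packet from an internal node to the secure port."""
        for flow in self.unmatched:
            if (flow.internal_addr, flow.spi) == (internal_addr, spi):
                flow.last_active = now              # retransmission refreshes activity
                return
        self.unmatched.append(Flow(internal_addr, spi, now, now))

    def translate_inbound(self, spi):
        """Pick the internal address for a packet sent to the shared external address."""
        if spi in self.bound:                       # subsequent packet: SPI already bound
            return self.bound[spi]
        if not self.unmatched:
            return None                             # nothing to pair with: caller drops
        if self.policy == "oldest":
            flow = min(self.unmatched, key=lambda f: f.first_seen)
        else:
            flow = max(self.unmatched, key=lambda f: f.last_active)
        self.unmatched.remove(flow)                 # the flow is now matched
        self.bound[spi] = flow.internal_addr
        return flow.internal_addr


def demo():
    """Constructed scenario: two hosts start tunnels 0.5 s apart; B's peer answers first."""
    nat = ConnectionManager(policy="oldest")
    nat.record_outbound("10.0.0.2", 0x1111, now=1.0)   # host A
    nat.record_outbound("10.0.0.3", 0x2222, now=1.5)   # host B
    first = nat.translate_inbound(0xBBBB)   # reply meant for B is paired with A's older flow
    again = nat.translate_inbound(0xBBBB)   # later packets follow the same binding
    other = nat.translate_inbound(0xAAAA)   # reply meant for A gets the flow that is left
    return first, again, other
```

In the constructed scenario both replies reach the wrong host and stay bound there, which is why a correction path such as the one in claim 8 matters for any deployment of this scheme.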